Upstream has issued an advisory today (March 31):
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/

The issue is fixed upstream in 2.5.8 and 2.7.1:
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/

Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.5.8 and 2.7.1
Whiteboard: (none) => MGA7TOO
ruby-2.5.8-21.mga7.src.rpm submitted to 7/core/updates_testing
Build failed: http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20200404211846.pterjan.duvel.46452/log/ruby-2.5.8-21.mga7/build.0.20200405050457.log
Yes and with different failures on aarch64 and armv7hl, and both are different from the one I have in cauldron :(
Cauldron was updated to 2.7.1
Status comment: Fixed upstream in 2.5.8 and 2.7.1 => Fixed upstream in 2.5.8
Version: Cauldron => 7
Source RPM: ruby-2.7.0-28.mga8.src.rpm, ruby-2.5.7-20.mga7.src.rpm => ruby-2.5.7-20.mga7.src.rpm
Fedora has issued an advisory for this today (May 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
ruby-2.5.8-21.mga7 is finally available in updates_testing!
Advisory:
========================

Updated ruby packages fix security vulnerability:

An issue was discovered in Ruby through 2.5.7. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter (CVE-2020-10933).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933
https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
========================

Updated packages in core/updates_testing:
========================
ruby-2.5.8-21.mga7
libruby2.5-2.5.8-21.mga7
ruby-doc-2.5.8-21.mga7
ruby-devel-2.5.8-21.mga7
ruby-openssl-2.1.2-21.mga7
ruby-power_assert-1.1.1-21.mga7
ruby-irb-2.5.8-21.mga7
ruby-did_you_mean-1.2.0-21.mga7
ruby-io-console-0.4.6-21.mga7
ruby-psych-3.0.2-21.mga7
ruby-net-telnet-0.1.1-21.mga7
ruby-test-unit-3.2.7-21.mga7
ruby-xmlrpc-0.3.0-21.mga7

from ruby-2.5.8-21.mga7.src.rpm
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.5.8 => (none)
Whatever mirror I try: package not found.
CC: (none) => herman.viaene
Sorry, just noticed that my qarepo was pointing to version 6.
mga7, x86_64

Before update this very simple client/server copied from the ruby "Pickaxe" manual runs fine:

$ rpm -q ruby
ruby-2.5.7-20.mga7

$ cat bs.rb
require 'socket'
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )
loop do
  msg, sender = socket.recvfrom( 100 )
  host = sender[3]
  timestamp = Time.now
  puts "#{timestamp}: #{host} '#{msg}'"
  STDOUT.flush
end

[Terminal 1]
$ ruby bs.rb

In another terminal:
$ irb
irb(main):001:0> require 'socket'
=> true
irb(main):002:0> log = UDPSocket.new
=> #<UDPSocket:fd 9, AF_INET, 0.0.0.0, 0>
irb(main):003:0> log.connect( "127.0.0.1", 12121 )
=> 0
irb(main):004:0> log.print "Up and running"
=> nil
irb(main):005:0> log.print "Done! Over and out"
=> nil
irb(main):006:0> quit

[Terminal 1]
2020-07-06 10:04:00 +0100: 127.0.0.1 'Up and running'
2020-07-06 10:04:41 +0100: 127.0.0.1 'Done! Over and out'

Somebody who knows something about the BasicSocket library could probably construct a PoC test for CVE-2020-10933. The length of the returned buffer could be checked and if it matches the requested size the whole buffer could be compared with the message string to see if it contains odd characters beyond the end of string.

Experimented with socket.read_nonblock but do not know if the fix is applied at that point.

$ cat bsx.rb
require 'socket'
socket = UDPSocket.new
socket.bind( "127.0.0.1", 12121 )   # same setup as bs.rb; nothing has been sent, so no datagram is waiting
buffer = "rubbish ......"           # 14-character seed buffer
flag = socket.read_nonblock( 200, buffer, exception: false )   # :wait_readable when no data is available
puts flag.class, flag.to_sym
puts buffer.length                  # 200 (resized, nothing copied) before the fix, 14 after it
puts buffer.slice( 0..199 )

$ ruby bsx.rb
Symbol
wait_readable
200
rubbish ......�#��#��#/#�G�lB0=98�A8�A��@�9�:90�A

------------------------------------------------------------------------------

Updated all the packages.

$ ruby --version
ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]

CVE-2020-10933
$ ruby bsx.rb
Symbol
wait_readable
14
rubbish ......

This was repeatable so it looks encouraging.

Tested ruby against an array of local scripts which mainly exercise boiler-plate code, various gems and ruby-tk calls. One makes http requests and others interact with ffmpeg, get_iplayer, mplayer and vlc, deal with astronomical calculations and print directly to a wifi printer. No regressions encountered, yet.

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
coderay (1.1.3)
daemons (1.3.1)
did_you_mean (1.2.0)
eventmachine (1.2.7)
ffi (1.11.3)
glib2 (3.4.1)
gtk (0.1.0)
image_processing (1.11.0, 1.10.3, 1.10.2)
json (2.1.0)
.....

$ sudo gem install nokogiri
Fetching: mini_portile2-2.4.0.gem (100%)
Successfully installed mini_portile2-2.4.0
Fetching: nokogiri-1.10.9.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.9
Parsing documentation for mini_portile2-2.4.0
Installing ri documentation for mini_portile2-2.4.0
Parsing documentation for nokogiri-1.10.9
Installing ri documentation for nokogiri-1.10.9
Done installing documentation for mini_portile2, nokogiri after 1 seconds
2 gems installed

$ irb
irb(main):001:0> Dir.chdir( Dir.home+"/ruby/scriptlets" )
=> 0
irb(main):002:0> File.readlines( "jabberwocky" ).each { |line| puts line }
Twas brillig and the slithy toves
Did gyre and and gimble in the wabe.
All mimsy were the borogoves
And the mome raths outgrabe.


=> ["Twas brillig and the slithy toves\n", "Did gyre and and gimble in the wabe.\n", "All mimsy were the borogoves\n", "And the mome raths outgrabe.\n", "\n", "\n"]
irb(main):003:0> quit

$ irb
irb(main):001:0> plink = "Just a drop in the ocean"
=> "Just a drop in the ocean"
irb(main):002:0> puts plonk
Traceback (most recent call last):
        2: from /usr/bin/irb:11:in `<main>'
        1: from (irb):2
NameError (undefined local variable or method `plonk' for main:Object)
Did you mean?  plink

$ urpmq --whatrequires lib64ruby2.5 | sort -u | wc -l
70

$ strace -o paddb.trace ruby ~/bin/padlab
$ grep ruby paddb.trace | grep lib
.....
openat(AT_FDCWD, "/usr/lib64/ruby/enc/windows_1257.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/shift_jis.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/ruby/enc/gbk.so", O_RDONLY|O_CLOEXEC) = 10
openat(AT_FDCWD, "/usr/lib64/gems/ruby/tk-0.2.0/tkutil.so", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 10
.....

$ strace -o calco.trace ~/bin/calco
$ grep lib calco.trace | grep -v "(No such" | grep -v tk > libs
$ less libs
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libm-2.29.s"..., 1024) = 1024
.....

vim is listed, so...
$ strace -o vim.trace vim weather
$ cat vim.trace | grep lib | grep ruby | grep -v "No such"
openat(AT_FDCWD, "/lib64/libruby.so.2.5", O_RDONLY|O_CLOEXEC) = 3

Enough already.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
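The length check suggested in the comment above, written as a self-contained Ruby probe (an added example; it is not the tester's bsx.rb and not code from the Ruby project): it calls BasicSocket#read_nonblock with exception: false on a UNIX socketpair that has no queued data and reports whether the caller's buffer was grown to the requested size, which is the CVE-2020-10933 behaviour, and a control case with data queued shows the buffer sized to the payload instead. It assumes a POSIX host with UNIXSocket support; the seed string and the 200-byte request mirror the comment's test.

```ruby
# Added example (not from the bug report): probe for the CVE-2020-10933
# behaviour of BasicSocket#read_nonblock(len, buf, exception: false).
# A UNIX socketpair is used so no network is needed; assumes a POSIX host.
require 'socket'

REQUESTED = 200 # bytes asked for, deliberately larger than the seed buffer

# With nothing queued, read_nonblock must return :wait_readable and leave the
# caller's buffer no larger than before. A vulnerable interpreter resized it
# to REQUESTED bytes without copying any data (the "rubbish ......<garbage>"
# seen in the report), so the tail is whatever the heap happened to hold.
def probe_read_nonblock_no_data
  rd, wr = UNIXSocket.pair
  buffer = "rubbish ......".b # 14-byte seed, as in the report
  before = buffer.bytesize
  ret = rd.read_nonblock(REQUESTED, buffer, exception: false)
  {
    return_value: ret,
    before: before,
    after: buffer.bytesize,
    grew: buffer.bytesize > before,
    vulnerable: ret == :wait_readable && buffer.bytesize == REQUESTED
  }
ensure
  rd&.close
  wr&.close
end

# Control case: with a payload queued the buffer ends up exactly payload-sized,
# never REQUESTED-sized, whether or not the interpreter carries the fix.
def probe_read_nonblock_with_data(payload = "Up and running")
  rd, wr = UNIXSocket.pair
  wr.write(payload)
  buffer = "rubbish ......".b
  data = rd.read_nonblock(REQUESTED, buffer, exception: false)
  { data: data, size: buffer.bytesize }
ensure
  rd&.close
  wr&.close
end

if __FILE__ == $PROGRAM_NAME
  r = probe_read_nonblock_no_data
  puts "no data: #{r[:return_value].inspect}, buffer #{r[:before]} -> #{r[:after]} bytes"
  puts(r[:vulnerable] ? "VULNERABLE (CVE-2020-10933): buffer grown with no data" : "ok: buffer not grown")
  d = probe_read_nonblock_with_data
  puts "with data: #{d[:data].inspect} (#{d[:size]} bytes)"
end
```

Run it with the interpreter under test (`ruby probe.rb`); a "VULNERABLE" line means the packaged Ruby still needs the 2.5.8 fix.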
@Herman: comment 8. Sorry, this was just on its way.
Great, saved me some headache how to test this!!!
Great work, guys! Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0285.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED